Hi,

On Fri, 17 Oct 2014, Brian May wrote:
> Package: pound
[...]
> The security check at https://www.ssllabs.com/ssltest/ reports:
>
> Secure Client-Initiated Renegotiation Supported DoS DANGER
> It gives a link to the following page:
> https://community.qualys.com/blogs/securitylabs/2011/10/31/tls-renegotiation-and-denial-of-service-attacks

Looking at the patch in the package:
http://sources.debian.net/src/pound/2.6-2/debian/patches/anti_beast.patch/

It seems to have provision related to renegotiations... the code seems to accept the first renegotiation and reject the following ones. Is the above security check tricked by this? Weirdly the patch mentions https://www.ssllabs.com/ssldb/ as a way to test the fix though...

I'm putting the patch author in copy to have his opinion on this.

Proof-reading that patch I wonder if there isn't a mistake in the way it handles SSL_CTX_set_app_data. Roughly it does:

    res->allow_client_reneg = ...
    SSL_CTX_set_app_data(pc->ctx, res);

Later in the callback:

    RENEG_STATE *reneg_state;
    reneg_state = (RENEG_STATE *)SSL_get_app_data(ssl)

(where RENEG_STATE is an enum)

I wonder if we should not do something like this instead (in the callback):

    LISTENER *listener;
    RENEG_STATE *reneg_state;
    if ((listener = (LISTENER *)SSL_get_app_data(ssl)) == NULL)
        return;
    reneg_state = &(listener->allow_client_reneg);

> There is a setting that looks like it should disable
> this, SSLAllowClientRenegotiation. However the default is disabled, and
> this problem occurred. Furthermore, even if I
> include "SSLAllowClientRenegotiation 0" in my configuration I still get
> this warning.

I also wonder whether the documented values are correct because the RENEG_STATE enum has:

    RENEG_INIT => 0 (accepts a single renegotiation and then rejects)
    RENEG_REJECT => 1 (always reject)
    RENEG_ALLOW => 2

Would be interesting to try with the above change and possibly with other values like "1" which seems to be "always reject".

Cheers,
-- 
Raphaël Hertzog ◈ Debian Developer
Support Debian LTS: http://www.freexian.com/services/debian-lts.html
Learn to master Debian: http://debian-handbook.info/get/
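The three policy values discussed in the message above, modelled as an added example that is not code from the Pound patch: the listener's configured policy is kept separate from the per-connection handshake counter, which is the distinction the app-data mix-up blurs. OpenSSL is not linked; the `SSL_CB_HANDSHAKE_*` values are the ones from `<openssl/ssl.h>`, while `LISTENER`, `CONN`, `reneg_info_cb` and `accepted_renegotiations` are hypothetical names.

```c
#include <assert.h>
#include <stddef.h>

/* Per-listener policy, numbered as documented in the thread. */
typedef enum { RENEG_INIT = 0, RENEG_REJECT = 1, RENEG_ALLOW = 2 } RENEG_POLICY;

/* Flag values an OpenSSL info callback receives (as in <openssl/ssl.h>). */
#define SSL_CB_HANDSHAKE_START 0x10
#define SSL_CB_HANDSHAKE_DONE  0x20

/* Hypothetical per-listener configuration (stands in for Pound's LISTENER). */
typedef struct { RENEG_POLICY allow_client_reneg; } LISTENER;

/* Hypothetical per-connection state: the listener the connection belongs to
 * plus counters that must live per connection, never in the shared listener. */
typedef struct {
    const LISTENER *listener;  /* in OpenSSL this would come from app data */
    int handshakes_done;       /* completed handshakes on this connection */
    int abort;                 /* set once a renegotiation must be refused */
} CONN;

/* Model of the info callback: on HANDSHAKE_START decide whether this is a
 * client-initiated renegotiation that the listener's policy forbids. */
static void reneg_info_cb(CONN *c, int where)
{
    if (where & SSL_CB_HANDSHAKE_START) {
        switch (c->listener->allow_client_reneg) {
        case RENEG_ALLOW:  break;                                   /* 2: always allow */
        case RENEG_REJECT: if (c->handshakes_done > 0) c->abort = 1; break; /* 1: refuse all */
        case RENEG_INIT:   if (c->handshakes_done > 1) c->abort = 1; break; /* 0: one, then refuse */
        }
    }
    if (where & SSL_CB_HANDSHAKE_DONE)
        c->handshakes_done++;
}

/* Drive one connection through its initial handshake and n client-initiated
 * renegotiations; returns how many renegotiations the policy accepted. */
int accepted_renegotiations(RENEG_POLICY policy, int n)
{
    LISTENER l = { policy };
    CONN c = { &l, 0, 0 };
    int accepted = 0;
    reneg_info_cb(&c, SSL_CB_HANDSHAKE_START);   /* initial handshake */
    reneg_info_cb(&c, SSL_CB_HANDSHAKE_DONE);
    for (int i = 0; i < n; i++) {
        reneg_info_cb(&c, SSL_CB_HANDSHAKE_START);
        if (c.abort)
            break;                               /* caller would close the connection */
        reneg_info_cb(&c, SSL_CB_HANDSHAKE_DONE);
        accepted++;
    }
    return accepted;
}
```

One OpenSSL detail worth keeping in mind when wiring this up for real: app data stored with `SSL_CTX_set_app_data` is ex_data of the context, so a callback that wants it from the connection object must go through `SSL_get_SSL_CTX(ssl)` and `SSL_CTX_get_app_data`, while `SSL_get_app_data(ssl)` only returns what was stored on that `SSL` with `SSL_set_app_data`.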